diff --git a/transport/internet/tls/config.go b/transport/internet/tls/config.go
index 36f2eac5a2bc..8518ac95fbef 100644
--- a/transport/internet/tls/config.go
+++ b/transport/internet/tls/config.go
@@ -391,11 +391,10 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
 		}
 	}
 	if len(c.EchConfig) > 0 {
-		ECHConfig, err := base64.StdEncoding.DecodeString(c.EchConfig)
+		err := ApplyECH(c, config)
 		if err != nil {
-			errors.LogError(context.Background(), "invalid ECH config")
+			errors.LogError(context.Background(), err)
 		}
-		config.EncryptedClientHelloConfigList = ECHConfig
 	}
 
 	return config
diff --git a/transport/internet/tls/ech.go b/transport/internet/tls/ech.go
new file mode 100644
index 000000000000..db7ba2bb2cd9
--- /dev/null
+++ b/transport/internet/tls/ech.go
@@ -0,0 +1,21 @@
+//go:build go1.23
+// +build go1.23
+
+package tls
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/base64"
+
+	"github.com/xtls/xray-core/common/errors"
+)
+
+func ApplyECH(c *Config, config *tls.Config) error {
+	ECHConfig, err := base64.StdEncoding.DecodeString(c.EchConfig)
+	if err != nil {
+		errors.LogError(context.Background(), "invalid ECH config")
+	}
+	config.EncryptedClientHelloConfigList = ECHConfig
+	return nil
+}
diff --git a/transport/internet/tls/ech_go121.go b/transport/internet/tls/ech_go121.go
new file mode 100644
index 000000000000..4d77ac5ac10a
--- /dev/null
+++ b/transport/internet/tls/ech_go121.go
@@ -0,0 +1,14 @@
+//go:build !go1.23
+// +build !go1.23
+
+package tls
+
+import (
+	"crypto/tls"
+
+	"github.com/xtls/xray-core/common/errors"
+)
+
+func ApplyECH(c *Config, config *tls.Config) error {
+	return errors.New("Win7 does not support ECH")
+}